SQL injection vulnerability in Go applications using the pgx PostgreSQL driver where SQL statements are built with string concatenation or fmt.Sprintf, allowing attackers to embed untrusted values directly into query text.
package main
import (
"context"
"fmt"
"github.com/jackc/pgx/v4/pgxpool"
)
type User struct {
ID int
Name string
Email string
}
// VULNERABLE: String concatenation
func getUserByID(pool *pgxpool.Pool, userID string) (*User, error) {
// DANGEROUS: Direct concatenation allows injection
query := "SELECT id, name, email FROM users WHERE id = " + userID
row := pool.QueryRow(context.Background(), query)
var user User
err := row.Scan(&user.ID, &user.Name, &user.Email)
return &user, err
}
// VULNERABLE: fmt.Sprintf with user input
func searchUsers(pool *pgxpool.Pool, name, status string) ([]User, error) {
// DANGEROUS: fmt.Sprintf builds SQL with user data
query := fmt.Sprintf(
"SELECT id, name, email FROM users WHERE name ILIKE '%%%s%%' AND status = '%s'",
name, status
)
rows, err := pool.Query(context.Background(), query)
if err != nil {
return nil, err
}
defer rows.Close()
var users []User
for rows.Next() {
var user User
rows.Scan(&user.ID, &user.Name, &user.Email)
users = append(users, user)
}
return users, nil
}
/*
Attacks:
userID = "1 OR 1=1 --" -> Returns all users
name = "'; DROP TABLE users; --" -> Drops table
*/package main
import (
"context"
"fmt"
"strconv"
"strings"
"github.com/jackc/pgx/v4/pgxpool"
)
type User struct {
ID int
Name string
Email string
}
// SECURE: Parameterized query with $1 placeholder
func getUserByID(pool *pgxpool.Pool, userIDStr string) (*User, error) {
// Validate input
userID, err := strconv.Atoi(userIDStr)
if err != nil {
return nil, fmt.Errorf("invalid user ID")
}
// Use $1 placeholder - pgx handles escaping
query := "SELECT id, name, email FROM users WHERE id = $1"
row := pool.QueryRow(context.Background(), query, userID)
var user User
err = row.Scan(&user.ID, &user.Name, &user.Email)
return &user, err
}
// SECURE: Parameterized query with $1, $2 placeholders
func searchUsers(pool *pgxpool.Pool, name, status string) ([]User, error) {
// Validate inputs
name = strings.TrimSpace(name)
if len(name) > 100 {
return nil, fmt.Errorf("name too long")
}
// Validate status against allowlist
validStatuses := map[string]bool{"active": true, "inactive": true}
if !validStatuses[status] {
return nil, fmt.Errorf("invalid status")
}
// Use $1, $2 placeholders
query := "SELECT id, name, email FROM users WHERE name ILIKE $1 AND status = $2 LIMIT 100"
rows, err := pool.Query(context.Background(), query, "%"+name+"%", status)
if err != nil {
return nil, err
}
defer rows.Close()
var users []User
for rows.Next() {
var user User
rows.Scan(&user.ID, &user.Name, &user.Email)
users = append(users, user)
}
return users, nil
}The vulnerable code uses string concatenation and fmt.Sprintf to build SQL queries, allowing SQL injection attacks where attackers can inject malicious SQL through user input (e.g., "1 OR 1=1 --" or "'; DROP TABLE users; --"). The secure version uses pgx parameterized queries with $1, $2, $3 placeholders and passes values as separate arguments to Query/Exec functions. This ensures user input is properly escaped and treated as data, not executable SQL. The secure code also implements input validation with allowlists and length checks as additional defense layers.
Go applications build SQL statements using string concatenation operators (+ or +=) to combine user input with SQL query fragments. This creates SQL injection vulnerabilities as special characters in user input aren't escaped, allowing attackers to modify query structure.
Sourcery automatically identifies sql injection from string-concatenated variables in pgx sql statements and many other security issues in your codebase.